WordPress Vulnerability Report — April 30, 2025

Apr 30, 2025


In this report, 241 vulnerabilities have been publicly disclosed. Security patches for 91 of these plugins and themes are available now, so run those updates as soon as possible. If you’re a Solid Security Pro user, the version management tool may have already warned you and updated these plugins, depending on your settings.

Additionally, there are 150 plugin and theme vulnerabilities for which no patch is available yet. If you’re a Solid Security Pro user, those vulnerabilities are already protected by the Solid Security firewall. Virtual patches from Patchstack will be applied when a vulnerability is considered high or medium risk. If no patch is forthcoming from the vendor, or the vulnerable software has been marked “closed” and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.

Along with poor user account security, vulnerable plugins and themes are among the top reasons why WordPress websites get hacked. Unfortunately, cyberattacks are increasing in volume and sophistication. They’re also increasingly aimed at small to mid-sized businesses.


Our WordPress Vulnerability Report covers the latest emerging WordPress plugin, theme, and core vulnerabilities. Each vulnerability will have a severity rating of Low, Medium, High, or Critical. Responsible disclosure of vulnerabilities is essential to keeping the WordPress community safe. Please share this report to help spread the word and make WordPress — and the web — more secure.

SolidWP Patches Multiple Plugin Vulnerabilities

On April 29, SolidWP released important security updates across several plugins, including Solid Mail, Solid Performance, Solid Security, and Solid Backups Legacy. These address an unauthenticated XSS (CVE-2025-1123), a serialized injection risk, and a telemetry privilege issue. Users are strongly urged to update immediately.

Read the full advisory and update instructions.

WordPress Core

WordPress 6.8 “Cecil” is here! Launched April 15, 2025, it honors jazz legend Cecil Taylor, whose pioneering piano fused chaos and harmony. Explore its bold features with the same experimental spirit.

Plus, WordCamp Europe 2025 lands in Basel, Switzerland, June 5-7! Connect with WordPress enthusiasts, developers, and pros for three days of learning, networking, and collaboration with the global community.

No new core vulnerabilities were disclosed this week.

WordPress Plugins — 85 Patched / 137 Unpatched

Plugin Slug:
advanced-accordion-block

Installations
7,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
Medium

Plugin Slug:
embed-lottie-player

Installations
5,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
Medium

Plugin Slug:
acf-google-font-selector-field

Installations
3,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
High

Plugin Slug:
anything-popup

Installations
3,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
High

Plugin Slug:
the-pack-addon

Installations
2,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
Medium

Plugin Slug:
wpmastertoolkit

Installations
2,000+

Vulnerability:
Path Traversal

Patched in Version:
No Fix

Severity Score:
High

Plugin Slug:
excel-like-price-change-for-woocommerce-and-wp-e-commerce-light

Installations
700+

Vulnerability:
Local File Inclusion

Patched in Version:
No Fix

Severity Score:
High

Plugin Slug:
capturly-optimize-your-website

Installations
100+

Vulnerability:
Local File Inclusion

Patched in Version:
No Fix

Severity Score:
High

Plugin Slug:
checkout-field-visibility-for-woocommerce

Installations
80+

Vulnerability:
Local File Inclusion

Patched in Version:
No Fix

Severity Score:
High

Plugin Slug:
product-lister-ebay

Installations
70+

Vulnerability:
Local File Inclusion

Patched in Version:
No Fix

Severity Score:
High

Plugin Slug:
fusedesk

Installations
60+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
Medium

Plugin Slug:
appsero-helper

Installations
50+

Vulnerability:
SQL Injection

Patched in Version:
No Fix

Severity Score:
High

Plugin:

1 Decembrie 1918

Plugin Slug:
1-decembrie-1918

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
No Fix

Severity Score:
High

Plugin:

360 View

Plugin Slug:
360-view

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
Medium

Plugin:

Form Builder

Plugin Slug:
abcsubmit

Vulnerability:
Content Injection

Patched in Version:
No Fix

Severity Score:
High

Plugin:

Absolute Links

Plugin Slug:
absolute-links

Vulnerability:
SQL Injection

Patched in Version:
No Fix

Severity Score:
High

Plugin:

Add custom page template

Plugin Slug:
add-custom-page-template

Vulnerability:
Remote Code Execution (RCE)

Patched in Version:
No Fix

Severity Score:
High

Plugin:

Add Google +1 (Plus one) social share Button

Plugin Slug:
add-google-plus-one-social-share-button

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
No Fix

Severity Score:
High

Plugin:

Custom Admin-Bar Favorites

Plugin Slug:
admin-bookmarks

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
High

Plugin:

Advanced lazy load

Plugin Slug:
advanced-lazy-load

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
No Fix

Severity Score:
High

Plugin:

All in One Time Clock Lite

Plugin Slug:
aio-time-clock-lite

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
No Fix

Severity Score:
Medium

Plugin:

Ajax Comment Form CST

Plugin Slug:
ajax-comment-form-cst

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
No Fix

Severity Score:
High

Plugin:

Configurator Theme Core

Plugin Slug:
amz-configurator-core

Vulnerability:
Privilege Escalation

Patched in Version:
No Fix

Severity Score:
High

Plugin:

Animate

Plugin Slug:
animate

Vulnerability:
Server Side Request Forgery (SSRF)

Patched in Version:
No Fix

Severity Score:
Medium

Plugin:

Author Box After Posts

Plugin Slug:
author-box-after-posts

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
Medium

Plugin:

Author Box Plugin With Different Description

Plugin Slug:
author-box-with-different-description

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
No Fix

Severity Score:
Medium

Plugin:

Availability Calendar

Plugin Slug:
availability

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
No Fix

Severity Score:
High

Plugin:

Awesome Wp Image Gallery

Plugin Slug:
awesome-wp-image-gallery

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
Medium

Plugin:

BBCode Deluxe

Plugin Slug:
bbcode-deluxe

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
Medium

Plugin:

Best Posts Summary

Plugin Slug:
best-posts-summary

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
No Fix

Severity Score:
High

Plugin:

Blog Manager WP

Plugin Slug:
blog-manager-wp

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
Medium

Plugin:

Buddypress Force Password Change

Plugin Slug:
buddy-press-force-password-change

Vulnerability:
Broken Access Control

Patched in Version:
No Fix

Severity Score:
Medium

Plugin:

Business Contact Widget

Plugin Slug:
business-contact-widget

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
Medium

Plugin:

Call Now PHT Blog

Plugin Slug:
call-now-coccoc-pht-blog

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
No Fix

Severity Score:
High

Plugin:

Car Park Booking System for WordPress

Plugin Slug:
car-park-booking-system-for-wordpress

Vulnerability:
Broken Access Control

Patched in Version:
No Fix

Severity Score:
Medium

Plugin:

Carousel-of-post-images

Plugin Slug:
carousel-of-post-images

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
Medium

Plugin:

Contact Form 7 Calendar

Plugin Slug:
cf7-calendar

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
No Fix

Severity Score:
High

Plugin:

CheckBot

Plugin Slug:
checkbot

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
No Fix

Severity Score:
High

Plugin:

Confirm User Registration

Plugin Slug:
confirm-user-registration

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
Medium

Plugin:

COVID-19 (Coronavirus) Update Your Customers

Plugin Slug:
covid-19-alert

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
Medium

Plugin:

Custom Functions Plugin

Plugin Slug:
custom-functions

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
No Fix

Severity Score:
High

Plugin:

WP Custom Post Popup

Plugin Slug:
custom-post-popup

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
Medium

Plugin:

LSD Custom taxonomy and category meta

Plugin Slug:
custom-taxonomy-category-and-term-fields

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
No Fix

Severity Score:
High

Plugin:

Document Management System

Plugin Slug:
dms

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
High

Plugin:

Drop Caps

Plugin Slug:
drop-caps

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
No Fix

Severity Score:
Medium

Plugin:

Dropdown Content

Plugin Slug:
dropdown-content

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
High

Plugin:

Easy Child Theme Creator

Plugin Slug:
easy-child-theme-creator

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
No Fix

Severity Score:
Medium

Plugin:

Enhanced Paypal Shortcodes

Plugin Slug:
enhanced-paypal-shortcodes

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
Medium

Plugin:

External Markdown

Plugin Slug:
external-markdown

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
Medium

Plugin:

FAT Services Booking

Plugin Slug:
fat-services-booking

Vulnerability:
SQL Injection

Patched in Version:
No Fix

Severity Score:
High

Plugin:

Flickr Shortcode Importer

Plugin Slug:
flickr-shortcode-importer

Vulnerability:
PHP Object Injection

Patched in Version:
No Fix

Severity Score:
High

Plugin:

Floating Social Bar

Plugin Slug:
floating-social-bar

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
Medium

Plugin:

Flynax Bridge

Plugin Slug:
flynax-bridge

Vulnerability:
Privilege Escalation

Patched in Version:
No Fix

Severity Score:
Critical

Plugin:

Flynax Bridge

Plugin Slug:
flynax-bridge

Vulnerability:
Privilege Escalation

Patched in Version:
No Fix

Severity Score:
Critical

Plugin:

Foodbakery Sticky Cart

Plugin Slug:
foodbakery-sticky-cart

Vulnerability:
PHP Object Injection

Patched in Version:
No Fix

Severity Score:
Critical

Plugin:

Front End Users

Plugin Slug:
front-end-only-users

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
High

Plugin:

Frontend Login and Registration Blocks

Plugin Slug:
frontend-login-and-registration-blocks

Vulnerability:
Privilege Escalation

Patched in Version:
No Fix

Severity Score:
High

Plugin:

GNA Search Shortcode

Plugin Slug:
gna-search-shortcode

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
Medium

Plugin:

Peadig’s Google +1 Button

Plugin Slug:
google-1

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
Medium

Plugin:

Google News

Plugin Slug:
google-news

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
No Fix

Severity Score:
High

Plugin:

Grand Conference

Plugin Slug:
grandconference

Vulnerability:
PHP Object Injection

Patched in Version:
No Fix

Severity Score:
Critical

Plugin:

Tabs

Plugin Slug:
gt-tabs

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
No Fix

Severity Score:
High

Plugin:

GTDB Guitar Tuners

Plugin Slug:
guitar-tuner

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
Medium

Plugin:

Hacklog Remote Attachment

Plugin Slug:
hacklog-remote-attachment

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
No Fix

Severity Score:
High

Plugin:

Smart Hashtags [#hashtagger]

Plugin Slug:
hashtagger

Vulnerability:
Broken Access Control

Patched in Version:
No Fix

Severity Score:
Medium

Plugin:

Hospital Management System

Plugin Slug:
hospital-management

Vulnerability:
Arbitrary File Upload

Patched in Version:
No Fix

Severity Score:
Critical

Plugin:

Hospital Management System

Plugin Slug:
hospital-management

Vulnerability:
SQL Injection

Patched in Version:
No Fix

Severity Score:
Critical

Plugin:

Hospital Management System

Plugin Slug:
hospital-management

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
High

Plugin:

Hospital Management System

Plugin Slug:
hospital-management

Vulnerability:
SQL Injection

Patched in Version:
No Fix

Severity Score:
High

Plugin:

iCafe Library

Plugin Slug:
icafe-library

Vulnerability:
SQL Injection

Patched in Version:
No Fix

Severity Score:
High

Plugin:

Image Style Hover

Plugin Slug:
image-content-show-hover

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
Medium

Plugin:

Image Hover Effects For WPBakery Page Builder

Plugin Slug:
image-hover-effects-for-visual-composer

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
Medium

Plugin:

Inline Text Popup

Plugin Slug:
inline-text-popup

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
Medium

Plugin:

Integração entre Eduzz e Woocommerce

Plugin Slug:
integracao-entre-eduzz-e-wc-powers

Vulnerability:
Privilege Escalation

Patched in Version:
No Fix

Severity Score:
High

Plugin:

Landing pages and Domain aliases for WordPress

Plugin Slug:
landing-pages-and-domain-aliases

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
Medium

Plugin:

Libro de Reclamaciones

Plugin Slug:
libro-de-reclamaciones

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
High

Plugin:

License For Envato

Plugin Slug:
license-envato

Vulnerability:
Local File Inclusion

Patched in Version:
No Fix

Severity Score:
High

Plugin:

Mad Mimi for WordPress

Plugin Slug:
mad-mimi

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
Medium

Plugin:

Milat jQuery Automatic Popup

Plugin Slug:
milat-jquery-automatic-popup

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
No Fix

Severity Score:
High

Plugin:

Mini twitter feed

Plugin Slug:
mini-twitter-feed

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
Medium

Plugin:

Mixcloud Embed

Plugin Slug:
mixcloud-embed

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
Medium

Plugin:

Modern Polls

Plugin Slug:
modern-polls

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
No Fix

Severity Score:
High

Plugin:

Custom Login and Registration

Plugin Slug:
ms-registration

Vulnerability:
Broken Access Control

Patched in Version:
No Fix

Severity Score:
Medium

Plugin:

Multi-Column Taxonomy List

Plugin Slug:
multi-column-taxonomy-list

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
Medium

Plugin:

My Custom Widgets

Plugin Slug:
mycustomwidget

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
High

Plugin:

Navegg Analytics

Plugin Slug:
navegg

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
No Fix

Severity Score:
High

Plugin:

Nepali Post Date

Plugin Slug:
nepali-post-date

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
Medium

Plugin:

occupancyplan

Plugin Slug:
occupancyplan

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
No Fix

Severity Score:
High

Plugin:

PayPal Express Checkout

Plugin Slug:
paypal-express-checkout

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
No Fix

Severity Score:
High

Plugin:

Peekaboo

Plugin Slug:
peekaboo

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
Medium

Plugin:

Plugin Central

Plugin Slug:
plugin-central

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
No Fix

Severity Score:
High

Plugin:

Posts for Page

Plugin Slug:
posts-for-page

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
Medium

Plugin:

Print Science Designer

Plugin Slug:
print-science-designer

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
No Fix

Severity Score:
High

Plugin:

RAphicon

Plugin Slug:
raphicon

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
Medium

Plugin:

Related Posts via Taxonomies

Plugin Slug:
related-posts-via-taxonomies

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
No Fix

Severity Score:
High

Plugin:

Loan Calculator

Plugin Slug:
repayment-calculator

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
No Fix

Severity Score:
High

Plugin:

Revy

Plugin Slug:
revy

Vulnerability:
SQL Injection

Patched in Version:
No Fix

Severity Score:
High

Plugin:

SUMO Reward Points

Plugin Slug:
rewardsystem

Vulnerability:
Local File Inclusion

Patched in Version:
No Fix

Severity Score:
High

Plugin:

RRSSB

Plugin Slug:
rrssb

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
Medium

Plugin:

SCSS-Library

Plugin Slug:
scss-library

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
No Fix

Severity Score:
Medium

Plugin:

Send From

Plugin Slug:
send-from

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
Medium

Plugin:

SEUR Oficial

Plugin Slug:
seur

Vulnerability:
Local File Inclusion

Patched in Version:
No Fix

Severity Score:
High

Plugin:

Simple Google Photos Grid

Plugin Slug:
simple-google-photos-grid

Vulnerability:
Server Side Request Forgery (SSRF)

Patched in Version:
No Fix

Severity Score:
Medium

Plugin:

Social Counter

Plugin Slug:
social-counter

Vulnerability:
PHP Object Injection

Patched in Version:
No Fix

Severity Score:
High

Plugin:

Tayori Form

Plugin Slug:
tayori

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
High

Plugin:

Time Based Greeting

Plugin Slug:
time-based-greeting

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
No Fix

Severity Score:
High

Plugin:

Twitter Card Generator

Plugin Slug:
twitter-card-generator

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
No Fix

Severity Score:
High

Plugin:

Unsafe Mimetypes

Plugin Slug:
unsafe-mimetypes

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
No Fix

Severity Score:
High

Plugin:

Vasaio QR Code

Plugin Slug:
vasaio-qr-code

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
No Fix

Severity Score:
High

Plugin:

WP Vegas

Plugin Slug:
vegas-fullscreen-background-slider

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
Medium

Plugin:

Verification SMS with TargetSMS

Plugin Slug:
verification-sms-targetsms

Vulnerability:
Remote Code Execution (RCE)

Patched in Version:
No Fix

Severity Score:
Critical

Plugin:

Bulk Assign Linked Products For WooCommerce

Plugin Slug:
wc-bulk-assign-linked-products

Vulnerability:
Broken Access Control

Patched in Version:
No Fix

Severity Score:
Medium

Plugin:

WP AVCL Automation Helper (formerly WPFlyLeads)

Plugin Slug:
woozap

Vulnerability:
Server Side Request Forgery (SSRF)

Patched in Version:
No Fix

Severity Score:
Medium

Plugin:

Plugin Upgrade Time Out

Plugin Slug:
wordpressplugin-upgrade-time-out-plugin

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
No Fix

Severity Score:
High

Plugin:

WoWHead Tooltips

Plugin Slug:
wowhead-tooltips

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
High

Plugin:

WP Cookie Consent

Plugin Slug:
wp-cookie-consent

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
Medium

Plugin:

Wp Custom CMS Block

Plugin Slug:
wp-custom-cms-block

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
No Fix

Severity Score:
High

Plugin:

WP Customize Login Page

Plugin Slug:
wp-customize-login-page

Vulnerability:
Broken Access Control

Patched in Version:
No Fix

Severity Score:
Medium

Plugin:

WP Customize Login Page

Plugin Slug:
wp-customize-login-page

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
Medium

Plugin:

wp-cyr-cho

Plugin Slug:
wp-cyr-cho

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
No Fix

Severity Score:
Medium

Plugin:

Easy Guide

Plugin Slug:
wp-easy-guide

Vulnerability:
SQL Injection

Patched in Version:
No Fix

Severity Score:
Critical

Plugin:

WP Filter Post Category

Plugin Slug:
wp-filter-post-categories

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
No Fix

Severity Score:
High

Plugin:

FoodBakery

Plugin Slug:
wp-foodbakery

Vulnerability:
PHP Object Injection

Patched in Version:
No Fix

Severity Score:
Critical

Plugin:

WP HRM LITE

Plugin Slug:
wp-hrm-lite-human-resource-management-system

Vulnerability:
SQL Injection

Patched in Version:
No Fix

Severity Score:
Critical

Plugin:

JobSearch

Plugin Slug:
wp-jobsearch

Vulnerability:
Broken Authentication

Patched in Version:
No Fix

Severity Score:
High

Plugin:

Meta Keywords & Description

Plugin Slug:
wp-meta-keywords-meta-description

Vulnerability:
Local File Inclusion

Patched in Version:
No Fix

Severity Score:
High

Plugin:

WP Quiz

Plugin Slug:
wp-quiz

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
Medium

Plugin:

WP-reCAPTCHA-bp

Plugin Slug:
wp-recaptcha-bp

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
Medium

Plugin:

Tooltip

Plugin Slug:
wp-tooltip

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
Medium

Plugin:

WordPress Events Calendar Registration & Tickets

Plugin Slug:
wpeventplus

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
High

Plugin:

WPVN

Plugin Slug:
wpvn-username-changer

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
No Fix

Severity Score:
Medium

Plugin:

WpZon – Amazon Affiliate Plugin

Plugin Slug:
wpzon

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
No Fix

Severity Score:
High

Plugin:

WS Force Login Page

Plugin Slug:
ws-force-login-page

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
Medium

Plugin:

Woocommerce Automatic Order Printing

Plugin Slug:
xc-woo-google-cloud-print

Vulnerability:
Insecure Direct Object References (IDOR)

Patched in Version:
No Fix

Severity Score:
Medium

Plugin:

Xpert Tab

Plugin Slug:
xpert-tab

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
Medium

Plugin:

Zalo Official Live Chat

Plugin Slug:
zalo-official-live-chat

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
No Fix

Severity Score:
Medium

Plugin:

Zoho Creator Forms

Plugin Slug:
zohocreator

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
No Fix

Severity Score:
Medium

Plugin Slug:
ocean-extra

Installations
600,000+

Vulnerability:
Content Injection

Patched in Version:
2.4.7

Severity Score:
Medium

Plugin Slug:
ocean-extra

Installations
600,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
2.4.7

Severity Score:
Medium

Plugin Slug:
admin-site-enhancements

Installations
100,000+

Vulnerability:
Bypass Vulnerability

Patched in Version:
7.6.10

Severity Score:
Medium

Plugin Slug:
bdthemes-element-pack-lite

Installations
100,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
5.10.30

Severity Score:
Medium

Plugin Slug:
woolentor-addons

Installations
100,000+

Vulnerability:
Server Side Request Forgery (SSRF)

Patched in Version:
3.1.3

Severity Score:
Medium

Plugin Slug:
jupiterx-core

Installations
90,000+

Vulnerability:
PHP Object Injection

Patched in Version:
4.8.12

Severity Score:
Critical

Plugin Slug:
email-subscribers

Installations
80,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
5.7.50

Severity Score:
Medium

Plugin Slug:
user-registration

Installations
70,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
4.2.0

Severity Score:
High

Plugin Slug:
category-posts

Installations
50,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
4.9.20

Severity Score:
Medium

Plugin Slug:
greenshift-animation-and-page-builder-blocks

Installations
50,000+

Vulnerability:
Arbitrary File Upload

Patched in Version:
11.4.6

Severity Score:
High

Plugin Slug:
simple-tags

Installations
50,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
3.30.0

Severity Score:
Medium

Plugin Slug:
visualcomposer

Installations
50,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
45.11.0

Severity Score:
Medium

Plugin Slug:
wp-import-export-lite

Installations
50,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
3.9.28

Severity Score:
Medium

Plugin Slug:
pirate-forms

Installations
40,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
2.6.0

Severity Score:
Medium

Plugin Slug:
secupress

Installations
40,000+

Vulnerability:
Broken Access Control

Patched in Version:
2.3.10

Severity Score:
Medium

Plugin Slug:
gutenverse

Installations
30,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
3.0.0

Severity Score:
Medium

Plugin Slug:
instagram-slider-widget

Installations
30,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
2.2.9

Severity Score:
Medium

Plugin Slug:
powerpress

Installations
30,000+

Vulnerability:
Arbitrary File Upload

Patched in Version:
11.12.6

Severity Score:
Critical

Plugin Slug:
uicore-elements

Installations
30,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
1.2.0

Severity Score:
Medium

Plugin Slug:
icegram

Installations
20,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
3.1.32

Severity Score:
Medium

Plugin Slug:
seriously-simple-podcasting

Installations
20,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
3.10.0

Severity Score:
Medium

Plugin Slug:
advanced-form-integration

Installations
10,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
1.100.0

Severity Score:
Medium

Plugin Slug:
alttext-ai

Installations
10,000+

Vulnerability:
Broken Access Control

Patched in Version:
1.9.94

Severity Score:
Medium

Plugin Slug:
gutenkit-blocks-addon

Installations
10,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
2.2.3

Severity Score:
Medium

Plugin Slug:
html-forms

Installations
10,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
1.5.3

Severity Score:
Medium

Plugin Slug:
link-library

Installations
10,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
7.8.1

Severity Score:
Medium

Plugin Slug:
mangboard

Installations
10,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
1.8.7

Severity Score:
Medium

Plugin Slug:
prevent-direct-access

Installations
10,000+

Vulnerability:
Sensitive Data Exposure

Patched in Version:
2.8.8.1

Severity Score:
Medium

Plugin Slug:
prevent-direct-access

Installations
10,000+

Vulnerability:
Broken Access Control

Patched in Version:
2.8.8.3

Severity Score:
Medium

Plugin Slug:
wordpress-simple-paypal-shopping-cart

Installations
10,000+

Vulnerability:
Bypass Vulnerability

Patched in Version:
5.1.3

Severity Score:
Medium

Plugin Slug:
wordpress-simple-paypal-shopping-cart

Installations
10,000+

Vulnerability:
Sensitive Data Exposure

Patched in Version:
5.1.3

Severity Score:
Medium

Plugin Slug:
bit-form

Installations
9,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
2.18.4

Severity Score:
Medium

Plugin Slug:
ws-form

Installations
9,000+

Vulnerability:
Broken Access Control

Patched in Version:
1.10.36

Severity Score:
Medium

Plugin Slug:
theme-switcha

Installations
6,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
3.4.1

Severity Score:
Medium

Plugin Slug:
custom-related-posts

Installations
4,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
1.7.5

Severity Score:
Medium

Plugin Slug:
upsell-order-bump-offer-for-woocommerce

Installations
4,000+

Vulnerability:
Other Vulnerability Type

Patched in Version:
3.0.1

Severity Score:
Medium

Plugin Slug:
watu

Installations
4,000+

Vulnerability:
SQL Injection

Patched in Version:
3.4.4

Severity Score:
High

Plugin Slug:
affiliate-toolkit-starter

Installations
2,000+

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
3.7.4

Severity Score:
Medium

Plugin Slug:
cf7-message-filter

Installations
2,000+

Vulnerability:
SQL Injection

Patched in Version:
1.6.33

Severity Score:
High

Plugin Slug:
skt-blocks

Installations
2,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
2.1

Severity Score:
Medium

Plugin Slug:
sky-elementor-addons

Installations
2,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
3.0.3

Severity Score:
Medium

Plugin Slug:
wp-recall

Installations
2,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
16.26.12

Severity Score:
Medium

Plugin Slug:
appointment-booking-calendar

Installations
1,000+

Vulnerability:
Broken Access Control

Patched in Version:
1.3.93

Severity Score:
Medium

Plugin Slug:
appointment-booking-calendar

Installations
1,000+

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
1.3.93

Severity Score:
High

Plugin Slug:
event-post

Installations
1,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
5.10.0

Severity Score:
Medium

Plugin Slug:
fable-extra

Installations
1,000+

Vulnerability:
SQL Injection

Patched in Version:
1.0.7

Severity Score:
Critical

Plugin Slug:
fable-extra

Installations
1,000+

Vulnerability:
Local File Inclusion

Patched in Version:
1.0.7

Severity Score:
Critical

Plugin Slug:
fable-extra

Installations
1,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
1.0.7

Severity Score:
Medium

Plugin Slug:
list-last-changes

Installations
1,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
1.2.2

Severity Score:
Medium

Plugin Slug:
simple-download-counter

Installations
1,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
2.2.1

Severity Score:
Medium

Plugin Slug:
sirv

Installations
1,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
7.5.4

Severity Score:
Medium

Plugin Slug:
smart-maintenance-mode

Installations
1,000+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
1.5.2

Severity Score:
Medium

Plugin Slug:
my-tickets

Installations
900+

Vulnerability:
Privilege Escalation

Patched in Version:
2.0.17

Severity Score:
High

Plugin Slug:
mpl-publisher

Installations
800+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
2.18.1

Severity Score:
Medium

Plugin Slug:
frontend-dashboard

Installations
700+

Vulnerability:
SQL Injection

Patched in Version:
2.2.6

Severity Score:
Critical

Plugin Slug:
media-library-downloader

Installations
700+

Vulnerability:
Broken Access Control

Patched in Version:
1.3.2

Severity Score:
Medium

Plugin Slug:
easy-notify-lite

Installations
600+

Vulnerability:
Local File Inclusion

Patched in Version:
1.1.37

Severity Score:
High

Plugin Slug:
vikrestaurants

Installations
600+

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
1.4

Severity Score:
High

Plugin Slug:
webtexttool

Installations
600+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
3.6.3

Severity Score:
Medium

Plugin Slug:
cm-answers

Installations
400+

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
3.3.4

Severity Score:
Medium

Plugin Slug:
crossword-compiler-puzzles

Installations
400+

Vulnerability:
Arbitrary File Upload

Patched in Version:
5.3

Severity Score:
Critical

Plugin Slug:
linked-variation

Installations
400+

Vulnerability:
Broken Access Control

Patched in Version:
1.0.4

Severity Score:
Medium

Plugin Slug:
simple-calendar-for-elementor

Installations
400+

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
1.6.5

Severity Score:
Medium

Plugin Slug:
tax-switch-for-woocommerce

Installations
300+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
1.4.3

Severity Score:
Medium

Plugin Slug:
v-form

Installations
300+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
3.1.15

Severity Score:
Medium

Plugin Slug:
cm-ad-changer

Installations
200+

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
2.0.6

Severity Score:
Medium

Plugin Slug:
wp-mailing-group

Installations
200+

Vulnerability:
SQL Injection

Patched in Version:
3.0.5

Severity Score:
High

Plugin Slug:
ableplayer

Installations
100+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
1.2.2

Severity Score:
Medium

Plugin Slug:
recover-wc-abandoned-cart

Installations
100+

Vulnerability:
Cross Site Request Forgery (CSRF)

Patched in Version:
2.3

Severity Score:
Medium

Plugin Slug:
wt-display-breeze

Installations
90+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
1.2.4

Severity Score:
Medium

Plugin Slug:
control-listings

Installations
80+

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
1.0.5

Severity Score:
High

Plugin Slug:
aeropage-sync-for-airtable

Installations
70+

Vulnerability:
Broken Access Control

Patched in Version:
3.3.0

Severity Score:
Medium

Plugin Slug:
aeropage-sync-for-airtable

Installations
70+

Vulnerability:
Arbitrary File Upload

Patched in Version:
3.3.0

Severity Score:
High

Plugin:

AnalyticsWP

Plugin Slug:
analyticswp

Vulnerability:
SQL Injection

Patched in Version:
2.1.5

Severity Score:
Critical

Plugin:

Anps Theme

Plugin Slug:
anps_theme_plugin

Vulnerability:
Content Injection

Patched in Version:
1.1.2

Severity Score:
Medium

Plugin:

BeerXML Shortcode

Plugin Slug:
beerxml-shortcode

Vulnerability:
Server Side Request Forgery (SSRF)

Patched in Version:
0.8

Severity Score:
Medium

Plugin:

BM Content Builder

Plugin Slug:
bm-builder

Vulnerability:
Broken Access Control

Patched in Version:
3.16.3

Severity Score:
High

Plugin:

cookieBAR

Plugin Slug:
cookiebar

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
1.10.1

Severity Score:
Medium

Plugin:

Mayosis Core

Plugin Slug:
mayosis-core

Vulnerability:
Arbitrary File Download

Patched in Version:
5.4.2

Severity Score:
High

Plugin:

Memberpress

Plugin Slug:
memberpress

Vulnerability:
Sensitive Data Exposure

Patched in Version:
1.12.0

Severity Score:
Medium

Plugin:

Order Delivery Date for WP e-Commerce

Plugin Slug:
order-delivery-date

Vulnerability:
Privilege Escalation

Patched in Version:
12.3.1

Severity Score:
Critical

Plugin Slug:
post-in-page-for-elementor

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
1.0.2

Severity Score:
Medium

Plugin:

Service Finder Booking

Plugin Slug:
sf-booking

Vulnerability:
Privilege Escalation

Patched in Version:
6.0

Severity Score:
Critical

Plugin:

eForm – WordPress Form Builder

Plugin Slug:
wp-fsqm-pro

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
4.19

Severity Score:
High

Plugin:

Xpro Elementor Addons – Pro

Plugin Slug:
xpro-elementor-addons-pro

Vulnerability:
Remote Code Execution (RCE)

Patched in Version:
1.4.10

Severity Score:
High

WordPress Themes — 6 Patched / 13 Unpatched

Theme Slug:
arrival

Downloads
126,548

Vulnerability:
Local File Inclusion

Patched in Version:
No Fix

Severity Score:
High

Theme Slug:
cww-portfolio

Downloads
85,776

Vulnerability:
Local File Inclusion

Patched in Version:
No Fix

Severity Score:
High

Theme Slug:
grace-mag

Downloads
70,110

Vulnerability:
Local File Inclusion

Patched in Version:
No Fix

Severity Score:
High

Theme Slug:
opstore

Downloads
82,188

Vulnerability:
Local File Inclusion

Patched in Version:
No Fix

Severity Score:
High

Theme Slug:
xews-lite

Downloads
14,655

Vulnerability:
Local File Inclusion

Patched in Version:
No Fix

Severity Score:
High

Theme:

Altair

Theme Slug:
altair

Vulnerability:
PHP Object Injection

Patched in Version:
No Fix

Severity Score:
Critical

Theme:

Hotel + Bed and Breakfast Booking Calendar Theme | Bellevue

Theme Slug:
bellevuex

Vulnerability:
Broken Access Control

Patched in Version:
No Fix

Severity Score:
Medium

Theme:

CiyaShop

Theme Slug:
ciyashop

Vulnerability:
PHP Object Injection

Patched in Version:
No Fix

Severity Score:
Critical

Theme:

Grand Restaurant WordPress

Theme Slug:
grandrestaurant

Vulnerability:
PHP Object Injection

Patched in Version:
No Fix

Severity Score:
Critical

Theme:

Grand Restaurant WordPress

Theme Slug:
grandrestaurant

Vulnerability:
Arbitrary Content Deletion

Patched in Version:
No Fix

Severity Score:
High

Theme:

Grand Restaurant WordPress

Theme Slug:
grandrestaurant

Vulnerability:
Path Traversal

Patched in Version:
No Fix

Severity Score:
Critical

Theme:

JNews

Theme Slug:
jnews

Vulnerability:
Broken Access Control

Patched in Version:
No Fix

Severity Score:
Medium

Theme:

Reales WP

Theme Slug:
reales-wp-real-estate-wordpress-theme

Vulnerability:
Broken Access Control

Patched in Version:
No Fix

Severity Score:
Medium

Theme:

EduMall

Theme Slug:
edumall

Vulnerability:
Local File Inclusion

Patched in Version:
4.3.0

Severity Score:
High

Theme:

Kleo

Theme Slug:
kleo

Vulnerability:
Broken Access Control

Patched in Version:
5.4.4

Severity Score:
Medium

Theme:

Vikinger

Theme Slug:
vikinger

Vulnerability:
Privilege Escalation

Patched in Version:
1.9.31

Severity Score:
High

Theme:

wProject

Theme Slug:
wproject

Vulnerability:
Privilege Escalation

Patched in Version:
5.8.0

Severity Score:
High

Theme:

wProject

Theme Slug:
wproject

Vulnerability:
Settings Change

Patched in Version:
5.8.0

Severity Score:
High

Theme:

wProject

Theme Slug:
wproject

Vulnerability:
Cross Site Scripting (XSS)

Patched in Version:
5.8.0

Severity Score:
High

Solid Security is part of Solid Suite — The best foundation for WordPress websites.

Every WordPress site needs security, backups, and management tools. That’s Solid Suite — an integrated bundle of three plugins: Solid Security, Solid Backups, and Solid Central. You also get access to Solid Academy’s learning resources for WordPress professionals. Build your next WordPress website on a solid foundation with Solid Suite!
